Ravens PHP Scripts: Forums
 

 

fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Sat May 23, 2009 7:31 am

A few weeks ago I was on the phone with one of the users of my bicycle club site as she tried to enter a news article. She is a very well educated and intelligent lady, a former reading teacher -- but not particularly facile with the computer. One of the purposes of having RN sites is that people such as this can put information on our sites with minimal administrator intervention ... I think.

So I coaxed her through clicking on submit news and explained how to enter the title and what to do in the wysiwyg box and what the toolbar icons there meant and how to paste something she had in Word in. After a few fits and starts all was good. She did the preview, then the submit. Then "oh d***ed Frank, it went away". I could see no submission in the waiting content area on my end so I asked specifically what she had seen. "Well there were some squiggly characters up on the screen and I didn't know what to do so I hit something". Lord knows what she hit but after trying the back key and other things I concluded the article was indeed lost somewhere in cyberspace. In this case I just had her send me the article by email and I posted it but then I got to thinking ...

If you run a site and you don't allow anonymous to post (and that's the only sane option IMHO) then they have to be logged in to be able to submit news or a forum topic or do any other entry. And if you require CAPTCHA on the login then they have already passed that barrier once. Why require it for every entry?

After thinking it over I've just gone in and changed my rnconfig.php to only require captcha for anonymous. I believe other protections will keep anonymous from even getting this far (they shouldn't see submit news if the module is for registered users only for instance). But registered and logged in users will not have to pass captcha for every submission. One less annoyance.

I'll post back if I get spammed because of this. I was going to post the section of rnconfig but it is very self-explanatory so I won't. You just need to change a bunch of variables to the value 1 instead of the default value of 3.
 
FireATST
RavenNuke(tm) Development Team
Joined: Jun 12, 2004
Posts: 654
Location: Ohio

Posted: Sat May 23, 2009 6:54 pm

Hmm, sometimes the simplest answers appear to be right in front of our faces. That is an excellent idea, Fkelly. Will be interested to see the follow-up on this.
 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Sun May 24, 2009 11:06 am

It depends on how you allow registering. For instance, this site allows anyone to register w/o a background check. Probably a couple times a month (on average) a registered user will post spam and/or other crap. By only requiring anonymous to use the captcha then these registered users can easily automate their spamming and my issues would compound. So, there are definitely pros and cons.
 
fkelly

Posted: Sun May 24, 2009 4:00 pm

I agree there are pros and cons. I run a much smaller site than you do. While I don't do a thorough background check on new users I do see and approve them (thanks to RNYA). Someone could get in using an "innocent looking" email address and then spam me ... no question. It is just a trade-off. My users are not committed computer folks and the captcha is a big annoyance to them and discourages them from posting so I am trying it the way I stated in the initial post. If I get spammed a lot I may have to go back to the old captcha settings.
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Mon May 25, 2009 9:13 am

I'll be honest, the whole reason why I wanted to add the Captcha to the interior modules is to stop auto-spam with a twist. I was noticing an actual human being would physically create a new account, then log in, and then BAM, hit the auto-spam "button" and a whole slew of crap got into my new comments.

I even had someone once manually create five comments and then finally gave up... I am sure they got tired of having to enter in a captcha each time. lol.

TAd
Worker
Joined: Oct 11, 2004
Posts: 127
Location: Oregon, USA

Posted: Wed Mar 23, 2011 8:55 am

I require admin permission and only require the Captcha to create an account. To be honest, I am not sure why I do that. Captcha has been defeated already from the articles I have read (albeit some time ago, and I am sure it continues). So in a way all I am doing is annoying users (me) with the system, to some degree.

From my own personal experience, when Captcha is enabled, I often have to try multiple times to get past it. I have 20/15 vision, I can see it, I am also not color blind. It is that Captcha data is often very obscure, words from languages that may hold no meaning for me (not easily recognizable). It can have letters that are sometimes ill-formed or distorted, or it simply runs letters together. Often a combination of some or all of these elements is implemented. Captcha makes me want to go have my eyes checked at times. Now obviously there are different "schemes" (for lack of a better term) for Captcha. Some I do find easier to read than others.

From Captcha Devs: (image)

As you can see, some are easier to make out than others. But nearly all of them are easier to read than those I see most often. A simple Google search of images will demonstrate far better than I am able to articulate.

Google search "bad captcha" and click on Images (link too long to post), or Google "insert bad word" captcha and click on Images. There are also good ones searching "Captcha fail".

In my opinion, when it becomes more of a problem for real people, and not computers, I have to pass. This is where I miss the Spam Stopper Module. It looked for spamming in posts etc. and used to block them and ban them immediately for the times I was not available to do so. Sadly, when my site was offline, I had a backup HDD failure and lost it.

Now, I am not saying scrap Captcha, but Captcha is in need of some work. If any security tool becomes a burden to users, and they shut it off, one should figure out why that is (Vista UAC is a good example). You have to consciously maintain a balance between security and usability. If the tools available are not deemed usable, they will be shut off.

I appreciate this thread, as it provides me an opportunity to stop and think about security for a bit. As well as learn some new things! Now on to my search for a fix of the "link modification" request that seems to be open to Anonymous...

TAd

Posted: Wed Mar 23, 2011 8:58 am

I am sorry for bumping an old thread!! I just looked at the date of the last post (after I made my post).
 
Raven

Posted: Wed Mar 23, 2011 9:32 am

NP!
 
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Fri Mar 25, 2011 9:42 pm

As Raven said, there are pros and cons to using CAPTCHA.
I find the RN CAPTCHA very readable but then I always wear my reading glasses when at the PC and of course (if you really must) you can adjust the amount of 'interference' within the Class file.

I don't actually get a lot of incoming data from visitors (News etc) so I'm happy to leave the CAPTCHA on but as montego stated, we have both seen cases where genuine humans have registered and then proceeded to spam parts of the site before finally giving up after a few submissions because it is simply too much effort.

@TAd: Spam Stopper (now renamed as Site Guardian due to added functionality) is actually being re-written right now.
 
TAd

Posted: Sat Mar 26, 2011 3:29 am

It is always interesting to see how different people all running websites, which have different content/purposes, deal with similar yet distinct hurdles.

I am glad it is being re-written/re-released, I made a comment on the CA forums about it as I am eager to get that kind of a system up and running again on my site!
 
wHiTeHaT
Life Cycles Becoming CPU Cycles
Joined: Jul 18, 2004
Posts: 579

Posted: Mon Mar 28, 2011 1:02 pm

I think it would be wise (in fkelly's scenario) to show an alert if the captcha field is empty.
Or don't show the post button on the page at all, but show the button after the captcha is accepted.
 
fkelly

Posted: Mon Mar 28, 2011 1:49 pm

Looking back at one of my previous posts it was almost 2 years ago (May 2009). I had CAPTCHA turned off on my bike club site then and I still do now. No spam because I approve waiting users individually. On a test site that I ran for a long time I accidentally turned approve users off for a while. Within a week I had people spamming the forums there. CAPTCHA doesn't stop it; approve users usually will ... the one that's built into RNYA.

When I'm feeling brain dead (or maybe I should say more brain dead than usual) I sometimes just browse through the wonderful tool Bob Marion bequeathed to us ... IP tracking. Every day I see at least a few people trying to break into Your Account and assign themselves a username without my approval. I usually ban their IP when I see that pattern although I know it is kind of futile.
 
montego

Posted: Mon Mar 28, 2011 4:28 pm

Just another quick comment, the current captcha that is in RN has been around now for what, 2-3 years? If it had been cracked, wouldn't we have all been suffering from tons of automated setups and spammy posts? I haven't seen them.
 
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany: Moderator German NukeSentinel Support

Posted: Tue Mar 29, 2011 8:57 am

I have found in my logs entries where someone looked if my RN website uses a captcha. I'm glad I have it always enabled and no spam till today.
I have not had XRummer attacks in the past but I'm quite sure it will not work.
In my opinion a Captcha is only one method to prevent spam and automatic registration but there are several other ways too.
 